I came across a unique client requirement to deploy an application using interactive mode. In this post, you will see how to use ServiceUI with Intune to bring a SYSTEM process to interactive mode while deploying an application.
Let’s learn how to make an Intune Win32 application deployment show a message popup, not with user access but with System access. I wrote a couple of posts on Intune Win32-based app deployment (Part 1 and Part 2).
Every program on your computer needs a process. Each process belongs to a session. In the Windows operating system, system processes execute in Session 0 and user processes in Session 1 and above.
This separation is by design: it is a security control that prevents user processes from interfering with system processes. In this post, we will discuss how to bring the system process to interactive mode during Intune deployment.
- Session 0 hosts system processes, including the Intune app install process
- Session 1 hosts the user logon and user-initiated processes
We can see the process and session details in Task Manager. By default, Windows will not show you the Session ID. You can see it by clicking the View menu item -> “Select Columns…” and turning on the option “Session ID”.
By default, Intune uses the system context to install an application, so the installation runs in Session 0. A user in Session 1 will not be able to view any dialog box or message box from Intune. There are some scenarios that need end-user interaction with the Intune process.
Below are some of them.
Scenario 1: Some apps cannot be packaged because of the way the software was developed, or the user needs to interact with the app during installation to input the license key. So how can this type of app be deployed from Intune?
Scenario 2: IT wants to show a pop-up message to the end user before the app installation. For example: notify the end user to close IE.
The solution for both of the above scenarios is to bring the system process from Session 0 to Session 1. There are 2 approaches to achieve this.
Change the Installation Behavior
By default, the app install behavior is System. As shown below, I changed it from “System” to “User”.
This approach launches the installation of the app under the user context instead of the system context. As shown below, you can see the install process context details in the log IntuneManagementExtension.log.
The drawback of this approach is user permission. Depending on the app, the user interacting with the installation may need elevated rights.
Use the ServiceUI with Intune
ServiceUI is an executable that comes with the Microsoft Deployment Toolkit (MDT). ServiceUI can detect the user session and allow user interaction. You can download MDT from here and install it. Once MDT is installed, you can find the exe in the below path. The syntax is shown below.
Let’s discuss how to use ServiceUI along with Intune.
Step 1: Copy the serviceui64.exe to your package source file folder as shown below. Then convert the install source folder to intunewin format for Intune deployment. For more details on Intune Win32 deployment, refer here.
Step 2: Upload the intunewin file to Intune. For more details, refer here.
Step 3: Configure the command line as shown below. In the install command, make sure you call ServiceUI with a process that the end user is running.
In the below example, I used “explorer.exe” because it exists in every user session. This enables ServiceUI to detect the session of the end user and lets the installation interact with that session.
ServiceUIx64.exe -process:explorer.exe Install.bat
Result Scenario 1
The user will get the installation wizard to interact with, as shown below.
NOTE: The installation wizard is launched in the system context even though the user can interact with it.
Result Scenario 2
If you have a requirement to send a popup message, you can write a script and deploy it as an Intune Win32 app.
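A script of that kind for Scenario 2, as an added example that is not code from the original post. The file name Notify.ps1, the way Install.bat calls it, the log path and the message text are assumptions. Because the popup still runs as SYSTEM inside the user's session, the script logs its identity and session and shows only an OK button with a timeout.

```powershell
# Notify.ps1 - added example; file name, log path and message text are assumptions.
# Started through the install command from the post:
#   ServiceUIx64.exe -process:explorer.exe Install.bat
# where Install.bat (hypothetical content) runs:
#   powershell.exe -ExecutionPolicy Bypass -File "%~dp0Notify.ps1"

$log = Join-Path $env:ProgramData 'Notify-Install.log'   # assumed log location

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $log
}

# Record the security context. Under ServiceUI the identity is still SYSTEM,
# but the session ID is the logged-on user's (1 or above) instead of 0.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$sessionId = (Get-Process -Id $PID).SessionId
Write-Log "Running as $($identity.Name), IsSystem=$($identity.IsSystem), Session=$sessionId"

if ($sessionId -eq 0) {
    # Still in Session 0: a popup here would never be visible to the user.
    Write-Log 'Session 0 detected, skipping popup.'
}
else {
    # Only prompt when IE is actually open in this user's session.
    $ie = Get-Process -Name iexplore -ErrorAction SilentlyContinue |
          Where-Object { $_.SessionId -eq $sessionId }
    if ($ie) {
        # OK-only box (0x40 = information icon) with a 300 second timeout.
        # The dialog runs as SYSTEM, so it offers no file pickers or links,
        # and the timeout keeps the deployment from blocking forever.
        $shell  = New-Object -ComObject WScript.Shell
        $answer = $shell.Popup('Please close Internet Explorer. Installation will continue shortly.',
                               300, 'IT notification', 0x40)
        Write-Log "Popup result: $answer (1 = OK clicked, -1 = timed out)"
    }
    else {
        Write-Log 'Internet Explorer is not running, no popup needed.'
    }
}
exit 0
```

The log line written at start is a quick way to confirm the behaviour in the NOTE above: the identity reads NT AUTHORITY\SYSTEM while the session ID is the user's.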